CVE-2026-43393 Overview
CVE-2026-43393 is a memory leak vulnerability in the Linux kernel's btrfs filesystem implementation. The flaw resides in the btrfs_map_block() function, which fails to release a chunk map reference when returning early with -EINVAL after calling btrfs_chunk_map_num_copies(). Each triggered error path leaks the chunk map structure that was previously looked up, leading to gradual kernel memory exhaustion over time.
Critical Impact
Repeated invocation of the vulnerable error path can exhaust kernel memory, resulting in degraded system performance or denial of service on systems using btrfs.
Affected Products
- Linux kernel (btrfs filesystem subsystem)
- Distributions shipping affected mainline and stable kernel branches
- Systems using btrfs as a primary or secondary filesystem
Discovery Timeline
- 2026-05-08 - CVE-2026-43393 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43393
Vulnerability Analysis
The vulnerability is a memory leak [CWE-401] in the btrfs block mapping logic. The btrfs_map_block() function looks up a chunk map structure that represents the physical layout of data across underlying devices. After retrieving this structure, the function calls btrfs_chunk_map_num_copies() to determine the number of available copies.
When subsequent validation logic fails and the function returns -EINVAL, the chunk map reference acquired by the earlier lookup is not released. The fix adds the missing free operation in the error path so the reference count is properly decremented before returning.
Root Cause
The root cause is missing cleanup logic on an error return path. The chunk map structure is reference-counted, and the early -EINVAL exit bypasses the standard release sequence that exists later in the function. Every triggering call leaks one chunk map allocation from kernel slab memory.
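The missing-release pattern described above, reduced to a userspace C model (an added example, not the kernel's code or the upstream patch). All struct and function names are hypothetical, and the failing check (a requested mirror number above the copy count) is an assumed stand-in for the validation that returns -EINVAL.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
/* Userspace model: every name is a hypothetical stand-in, not a kernel symbol. */
struct chunk_map { int refs; int num_copies; };
static int live_maps; /* objects allocated and not yet freed */
static struct chunk_map *map_create(int num_copies) {
    struct chunk_map *m = malloc(sizeof(*m));
    if (!m) abort();
    *m = (struct chunk_map){ .refs = 1, .num_copies = num_copies }; /* tree's ref */
    live_maps++;
    return m;
}
static struct chunk_map *map_lookup(struct chunk_map *m) { m->refs++; return m; }
static void map_put(struct chunk_map *m) { if (--m->refs == 0) { free(m); live_maps--; } }

/* Before: the early -EINVAL return skips the release at the end. */
static int map_block_leaky(struct chunk_map *entry, int mirror_num) {
    struct chunk_map *map = map_lookup(entry);
    if (mirror_num > map->num_copies) /* assumed validation check */
        return -EINVAL;               /* reference from map_lookup() is lost */
    map_put(map);
    return 0;
}

/* After: the error path releases the reference before returning. */
static int map_block_fixed(struct chunk_map *entry, int mirror_num) {
    struct chunk_map *map = map_lookup(entry);
    if (mirror_num > map->num_copies) {
        map_put(map);                 /* the release the leaky version lacks */
        return -EINVAL;
    }
    map_put(map);
    return 0;
}

/* n chunks: one failing request each, then the tree drops its own reference. */
static int leaked_after(int (*fn)(struct chunk_map *, int), int n) {
    int base = live_maps;
    for (int i = 0; i < n; i++) {
        struct chunk_map *m = map_create(2);
        fn(m, 3);   /* mirror 3 of 2 copies: takes the -EINVAL path */
        map_put(m);
    }
    return live_maps - base; /* objects that can no longer be freed */
}
int main(void) {
    printf("leaky=%d fixed=%d\n", leaked_after(map_block_leaky, 100), leaked_after(map_block_fixed, 100));
    return 0;
}
```

In the leaky variant each object keeps a stray reference after its owner lets go, so the count of unreclaimable objects grows with every failing request.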
Attack Vector
The vulnerability requires local interaction with a btrfs filesystem to trigger the error path repeatedly. Workloads performing block-level I/O against malformed or unusual btrfs layouts can exercise the leaking code path. Sustained triggering exhausts kernel slab memory, eventually impacting filesystem stability and overall system availability.
The vulnerability is a resource management defect rather than an exploitable memory corruption issue. See the upstream commits referenced below for the exact code paths involved: Kernel Git Commit 1, Kernel Git Commit 2, Kernel Git Commit 3, and Kernel Git Commit 4.
Detection Methods for CVE-2026-43393
Indicators of Compromise
- Growing kernel slab memory consumption attributable to btrfs_chunk_map allocations over time.
- Unexplained increases in SUnreclaim reported by /proc/meminfo on btrfs-backed hosts.
- Repeated -EINVAL returns from btrfs block mapping operations visible in kernel logs.
Detection Strategies
- Monitor slab allocator statistics via /proc/slabinfo for abnormal growth of btrfs-related caches.
- Use kmemleak on kernels built with CONFIG_DEBUG_KMEMLEAK to identify leaked chunk map allocations.
- Compare running kernel versions against the patched commits listed in upstream stable trees.
Monitoring Recommendations
- Track long-term memory utilization trends on btrfs hosts and alert on sustained slab growth.
- Audit kernel build versions across the fleet to confirm patched releases are deployed.
- Capture dmesg output for btrfs subsystem warnings during heavy I/O workloads.
How to Mitigate CVE-2026-43393
Immediate Actions Required
- Apply the latest stable Linux kernel update from your distribution vendor that includes the upstream btrfs fix.
- Inventory hosts running btrfs and prioritize patching systems with long uptime or memory pressure.
- Reboot patched systems to load the corrected kernel image into memory.
Patch Information
The fix adds the missing chunk map release on the -EINVAL error path in btrfs_map_block(). The patch has been merged into mainline and backported to multiple stable kernel branches. Refer to Kernel Git Commit 1, Kernel Git Commit 2, Kernel Git Commit 3, and Kernel Git Commit 4 for the exact patches.
Workarounds
- Reboot affected hosts periodically to reclaim leaked kernel memory until patching is feasible.
- Limit exposure of btrfs volumes to untrusted workloads that may trigger the error path.
- Monitor kernel slab consumption and schedule maintenance windows before memory exhaustion impacts production.
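# Verify current kernel version and check for the patch
uname -r
# RPM-based distributions: search the kernel package changelog for the fix
rpm -q --changelog kernel | grep -i "btrfs_map_block" | head
# Debian/Ubuntu: print the package version of the running kernel image
dpkg-query -W -f='${Version}\n' "linux-image-$(uname -r)"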
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


